Chapter 4 A Model of IS/IT Security Governance: The Role of the Boards and Senior Management within
4.3 A model of component interaction
Most organisations today pay little attention to the inter-relationships between the Formal, Technical and Informal components (Koskosas et al, 2004; Backhouse et al, 1996; Solms et al, 2004; Mishra et al, 2007). The Board and senior management tend to focus on narrow aspects such as IS/IT management rather than on a comprehensive view (Siponen et al, 2007). A deficiency in any one of the three components may result in an unbalanced IS/IT security implementation. The objective of this study is to integrate the three components simultaneously throughout the IS/IT security implementation. The model of IS/IT security governance is a comprehensive conceptual framework because it emphasises the two-way relationship between each pair of components, which, in this research context, means concurrent implementation of the Formal component (such as policy), the Technical component (such as software or hardware) and the Informal component (such as the culture of the organisation's employees). The main interactions between the Formal, Technical and Informal components are shown in Figure 4.5, since IS/IT security governance and its implementation are influenced by all three. The nature of these relationships highlights that the interactions among the components are complex.
Figure 4.5. Relationships between Formal, Technical and Informal components
Three primary “influence” relationships were identified, as shown in Figure 4.5. The first is a two-way relationship, Type 1, between the Informal and Formal components; the second is a two-way relationship, Type 2, between the Formal and Technical components; and the third is a two-way relationship, Type 3, between the Technical and Informal components. Each relationship is two-directional, implying that the related components affect the formation and details of each other.
4.3.1 Relationship-Type 1 (RT1)
To simplify the discussion from this point, Relationship Type 1, the relationship between the Formal and Informal components, will be referred to as RT1. It is expected that the implementation of IS/IT security requires balance between the Informal component and the Formal component: the Formal component needs to be aligned with the Informal component. For example, the implementation of an IT security policy has implications for organisational culture. This notion can be seen in the work of Solms (2004), who argued that the objective of a security policy is to dictate the security behaviour of a corporation's employees through a proper education process. However, educating employees to influence security behaviour is a challenging task because it requires consistent, time-consuming and effective processes, such as providing courses, training and refreshed security awareness, to ensure that a security culture is cultivated.
The implementation of IS/IT security requires the alignment of the Informal component with the Formal component. The Informal component, such as personal values and local and organisational culture, needs to be aligned with the Formal component. An example of local culture is geographic location, where the cultural environment of one location differs from that of another. In Malaysia, corporations are influenced by regulations such as the Malaysian Code of Corporate Governance, but in other countries the requirements may be different.
In RT1, the Informal component is worked on in parallel with the Formal component; for example, policy is developed with reference to the corporation's culture, norms and beliefs. In this type of relationship, the Informal component is associated with the Formal component by identifying the culture, norms and beliefs of the organisation before the Formal component is developed. By making reference to the culture and norms of the corporation, policies become more effective because the corporation has incorporated individual beliefs and organisational values within the policy. For example, the writing style of formal documents should reflect the culture of the organisation to ensure that the documents are accepted and understood by all employees from different backgrounds (Linemann, 2007).
Another example of how the Informal component is associated with the Formal component is the establishment of supervision and employee roles (Informal component) within the security policy (Formal component). Management becomes aware of the strengths, weaknesses, attitudes and capabilities of employees after receiving security reports and security incident results from the lower levels, and uses this knowledge when selecting individuals for IS/IT security roles. In other words, the Informal component assists management in deciding which team or individual would be most suitable for a security role, based on the personal values of the employees and the culture.
Figure 4.6 shows how the Formal component is connected with the Informal component.
Figure 4.6. The Formal component's relation to the Informal component
Education, training and awareness programmes are examples of the Formal component (Brian, 2001). Human resource needs such as education, training and security awareness programmes are important for the development of employee values and of organisational values. In this conceptual model, the Board and senior management need effective risk strategies that provide the Formal component, such as continuous education, training and policy awareness programmes, in order to improve employee values and organisational values, because IS/IT security risk issues are mainly caused by human actions (Dhillon et al, 2007). IS/IT security risk management components may help the Board and senior management to detect whether potential IS/IT threats were caused by human actions. Human actions relate to structures of responsibility (organisational values), supervision roles (organisational values), people with high integrity (employee values), trust among people (employee values) and ethicality (employee values).
4.3.2 Relationship-Type 2 (RT2)
The second relationship, Type 2 (RT2), considers the relationship between the Formal and Technical components. The need for alignment between the Formal component and the Technical component is emphasised in this relationship. The Formal component sets the strategic direction for the technologies and their implementation, based on the corporation's vision and policies. To have an effective Formal component, the organisation also needs an effective implementation of the Technical component so that the goal of IS/IT security can be achieved. A review of the implementation of the Technical component may reveal discrepancies or identify needed improvements, such that a review of the Formal component may be appropriate, in turn leading to changes in the Technical component. For example, to protect the database system and its critical data successfully, the policy may need to require additional security software so that alignment between the Formal component and the Technical component can be achieved.
However, after implementation, the outcomes of the Formal component and the Technical component may need to be realigned. For example, if the security level as set out in the policy was found to be too low, the policy or its implementation strategies will need to be reviewed and improved. Then, the corresponding Technical component will need to be altered to raise the level of security in order to achieve effective IS/IT security.
The Technical component also informs the Formal component about the acceptance of the corporation's vision and policies among employees. Consider the following scenario. The IS/IT security reports of a corporation show that the volume of spam has increased gradually over the past few years, and management finds that the spam filter software has not reduced it. Hence, to remedy the deficiency in the Technical component, it may be necessary to review policies and IS/IT security management strategies to determine whether any updates are needed. In this case, management may have to revise the IS/IT strategies, for example by implementing Virtual Private Networks to heighten security over the corporation's network. Note that a VPN protects traffic between endpoints and does not by itself filter inbound mail, so the revised strategy must also address the mail-filtering control that the policy relies on.
4.3.3 Relationship Type 3 (RT3)
Finally, the third relationship, Type 3 (RT3) refers to the relationship between the Informal and Technical components. The alignment of components is needed in this type of relationship to achieve IS/IT security. Misalignment of components may increase business losses in the organisation because up to 70% of the security incidents by number are due to non-deliberate actions, e.g., ignorance of responsibility (McIlwraith, 2006). This study identified that the major reason for these incidents was the lack of supervisory roles and unclear structures of responsibility in security roles in the organisation.
The implementation of the Technical component is likely to be associated with the Informal component through the values of the workers and the organisational values. This may be quite subtle and be reflected in understandings of what implementation actually means. For example, an understanding of what security means, and the sharing of permissions to access certain security levels, are examples of how the Informal component needs to be aligned with the Technical component. The values of workers are important in the Technical component because security issues are mainly social problems (Dhillon et al, 2000): security procedures cannot be successfully implemented without high employee values and high organisational values. For example, individuals with inadequate employee values and a lack of supervision by their management may be able to change a company's database security settings and system privileges for their own benefit or for other intentional acts. A lack of organisational values is also linked to the state of employee values, such that unclear structures of responsibility and supervisory roles may lead to bad corporate governance practices (e.g., employees repeatedly making errors because of a lack of controls and effective monitoring by the supervisor at the upper management level).
Conceptually, the Informal component and the Technical component are partners and need to be balanced with each other. Effective Informal aspects such as norms and beliefs, including employee values and organisational values, may improve employees' positive perceptions of their job responsibilities within particular IS/IT system procedures. Management should draw upon the culture, norms and beliefs of the organisation before putting the Technical component into practice. Employee values and organisational values play significant roles in achieving IS/IT security procedures (Dhillon, 2000).
Conversely, the Technical component also needs to be aligned with the Informal component. In this case, the implementation of IS/IT procedures may reveal discrepancies and unexpected behaviour from employees, such as stealing or altering other employees' data. If any deficiency arises in this relationship, the organisation also needs to revise, or put in place, effective management strategies to determine the capabilities of the organisation (e.g., strengths, weaknesses, threats, opportunities) in order to achieve IS/IT security.

In the Technical component, management will review technological reports such as the network log, the database access log and records of malicious activity, together with the log information and reports about those activities. If upper-level management or the responsible supervisor finds suspicious activity in employees' actions, the supervisor has the responsibility to give advice, reprimands or soft reminders to ensure that employees comply with the rules, policies and technical procedures of IS/IT security.

From the management perspective, once potential IS/IT security issues have been identified from the Informal component, assessment and mitigation need to be addressed effectively and efficiently in the Technical component. For example, where IT security controls seem not effective enough, management needs to consider mitigation from the technical perspective: real-time, automatic security controls, including an Intrusion Prevention System (an extension of an Intrusion Detection System), need to be actively in place to stop detected deliberate or unintended acts coming into IT systems and internal networks. Four actions by which an Intrusion Prevention System prevents and blocks the intrusions it detects have been identified:
1. Sending an alarm.
2. Dropping the malicious packets.
3. Resetting the connection.
4. Blocking the traffic from the offending IP address.
(Boyles, 2010, p. 258)
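The supervisory log review described above (network and database access logs, an unsupervised employee changing database privileges or altering a colleague's data) and the four IPS responses listed by Boyles can be shown together in code. The following Python program is an added example written for this section; it is not from the thesis, from Boyles (2010) or from any IPS product. It assumes a made-up log format (constructed "net" sensor lines and "db" audit lines), a hypothetical set of accounts allowed to change privileges (`PRIVILEGE_ADMINS`) and a hypothetical failed-login threshold (`AUTH_FAIL_THRESHOLD`), and maps each detected event to one of the four responses in the order the events occur.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log (hypothetical; not data from any real system).
# Each line is "<timestamp> <sensor> key=value ...", where "net" stands for a
# network sensor and "db" for a database audit log.
SAMPLE_LOG = """\
2024-03-01T09:12:03 net src=203.0.113.9 dst=10.0.1.10 event=auth_fail user=admin
2024-03-01T09:12:04 net src=203.0.113.9 dst=10.0.1.10 event=auth_fail user=admin
2024-03-01T09:12:05 net src=203.0.113.9 dst=10.0.1.10 event=auth_fail user=root
2024-03-01T09:12:06 net src=203.0.113.9 dst=10.0.1.10 event=auth_fail user=admin
2024-03-01T09:12:07 net src=203.0.113.9 dst=10.0.1.10 event=auth_fail user=admin
2024-03-01T09:15:40 net src=198.51.100.7 dst=10.0.1.10 event=malformed_packet
2024-03-01T10:02:11 db user=alice action=GRANT privilege=ALL target=alice
2024-03-01T10:05:30 db user=bob action=UPDATE table=payroll owner=carol
2024-03-01T10:06:02 db user=dba_ops action=GRANT privilege=SELECT target=report_ro
2024-03-01T10:07:15 db user=carol action=SELECT table=payroll owner=carol
"""

# Hypothetical role assignment: only these accounts may change privileges.
PRIVILEGE_ADMINS = {"dba_ops"}
# Hypothetical threshold after which a source address is blocked.
AUTH_FAIL_THRESHOLD = 5

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<sensor>net|db)\s+(?P<kv>.+)$")


def parse_line(line):
    """Parse one log line into a dict of its key=value fields plus ts/sensor."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = dict(item.split("=", 1) for item in m.group("kv").split())
    fields["ts"] = m.group("ts")
    fields["sensor"] = m.group("sensor")
    return fields


@dataclass(frozen=True)
class Response:
    action: str   # "alarm", "drop", "reset" or "block" (the four IPS actions)
    subject: str  # offending IP address or database user
    reason: str


def evaluate(log_text):
    """Walk the log in order and decide a response for each detected event."""
    responses = []
    auth_fails = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["sensor"] == "net":
            if ev.get("event") == "auth_fail":
                auth_fails[ev["src"]] += 1
                # Block traffic from the offending address once it hits the threshold.
                if auth_fails[ev["src"]] == AUTH_FAIL_THRESHOLD:
                    responses.append(Response("block", ev["src"],
                                              f"{AUTH_FAIL_THRESHOLD} failed logins"))
            elif ev.get("event") == "malformed_packet":
                # Drop the malicious packet; a single event is not grounds for a block.
                responses.append(Response("drop", ev["src"], "malformed packet"))
        else:  # database audit events
            user = ev["user"]
            if ev.get("action") == "GRANT" and user not in PRIVILEGE_ADMINS:
                # An employee outside the DBA role changing privileges (the case
                # in the text): reset the session and leave the grant for review.
                responses.append(Response("reset", user,
                                          "privilege change by non-administrator"))
            elif ev.get("action") in {"UPDATE", "DELETE"} and ev.get("owner") not in (None, user):
                # Altering another employee's data: raise an alarm for the supervisor.
                responses.append(Response("alarm", user,
                                          f"modified data owned by {ev['owner']}"))
    return responses


def blocked_addresses(responses):
    """Addresses an enforcement point would add to its block list."""
    return {r.subject for r in responses if r.action == "block"}


if __name__ == "__main__":
    for r in evaluate(SAMPLE_LOG):
        print(f"{r.action:<6} {r.subject:<14} {r.reason}")
```

Running the program over the constructed log yields one block (the brute-force source after five failures), one drop (the malformed packet), one reset (alice granting herself ALL) and one alarm (bob updating carol's payroll row); dba_ops's grant and carol's read of her own data produce no response. The choice of a reset rather than a block for the self-grant reflects the text's emphasis on supervisory follow-up: the session is interrupted, but the decision on the employee is left to management.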
4.4 Risk Management and Internal Controls: Relationship with the three components and